b'Department of Homeland Security\n   Of\xef\xac\x81ce of Inspector General\n\n             Information Technology Management \n\n               Letter for the U.S. Citizenship and \n\n            Immigration Services Component of the \n\n            FY 2010 DHS Financial Statement Audit\n \n\n\n\n\n\nOIG-11-74                                              April 2011\n\x0c                                                                          Office ofInspector General\n\n                                                                          U.S. Dep(lrtmellt ofHome/(llld\n                                                                          Security\n                                                                          Washington, DC 20528\n\n\n\n\n                                                                   Homeland\n                                                                   Security\n                                       APR 13 2011\n\n\n                                            Preface\n\nThe Department of Romeland Security (DRS) Office ofInspector General (OIG) was established\nby the Homeland Security Act of2002 (Public Law 107-296) by amendment to the Inspector\nGeneral Act of1978. This is one of a series of audit, inspection, and special reports prepared as\npart of our oversight responsibilities to promote economy, efficiency, and effectiveness within\nthe department.\n\nThis report presents the information technology (IT) management letter for the FY 2010 U.S.\nCitizenship and Immigration Services (USCIS) component of the DRS financial statement audit\nas of September 30, 2010. It contains observations and recommendations related to information\ntechnology internal control that were summarized in the Independent Auditors\' Report dated\nNovember 12,2010 and presents the separate restricted distribution report mentioned in that\nreport. 
The independent accounting firm KPMG LLP (KPMG) performed the audit procedures\nat the USCIS component in support of the DRS FY 2010 financial statements and prepared this\nIT management letter. KPMG is responsible for the attached IT management letter dated March\n18,2011, and the conclusions expressed in it. We do not express opinions on DRS\' financial\nstatements or internal control or conclusion on compliance with laws and regulations.\n\nThe recommendations herein have been developed to the best knowledge available to our office,\nand have been discussed in draft with those responsible for implementation. We trust that this\nreport will result in more effective, efficient, and economical operations. We express our\nappreciation to all of those who contributed to the preparation of this report.\n\n\n\n\n                                   ~4v\n                                   Fra~ rt:ffl\'\n                                     Assistant Inspector General\n                                     Information Technology Audits\n\x0c                                  KPMG LLP\n                                  2001 M Street, NW\n                                  Washington, DC 20036-3389\n\n\n\n\nMarch 18, 2011\n\nInspector General\nU.S. Department of Homeland Security\n\nChief Information Officer and\nChief Financial Officer\nU.S. Citizenship and Immigration Services\n\nLadies and Gentlemen:\nWe were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or\nDepartment), as of September 30, 2010 and the related statement of custodial activity for the year then\nended (herein after referred to as \xe2\x80\x9cfinancial statements\xe2\x80\x9d). We were also engaged to examine the\nDepartment\xe2\x80\x99s internal control over financial reporting of the balance sheet as of September 30, 2010 and\nthe statement of custodial activity for the year then ended. 
We were not engaged to audit the statements\nof net cost, changes in net position, and budgetary resources as of September 30, 2010 (hereinafter\nreferred to as \xe2\x80\x9cother fiscal year (FY) 2010 financial statements\xe2\x80\x9d), or to examine internal control over\nfinancial reporting over the other FY 2010 financial statements.\nBecause of matters discussed in our Independent Auditors\xe2\x80\x99 Report, dated November 12, 2010, the scope\nof our work was not sufficient to enable us to express, and we did not express, an opinion on the financial\nstatements or on the effectiveness of DHS\xe2\x80\x99 internal control over financial reporting of the balance sheet as\nof September 30, 2010, and related statement of custodial activity for the year then ended. Additional\ndeficiencies in internal control over financial reporting, potentially including additional material\nweaknesses and significant deficiencies, may have been identified and reported had we been able to\nperform all procedures necessary to express an opinion on the financial statements or on the effectiveness\nof DHS\xe2\x80\x99 internal control over financial reporting of the balance sheet as of September 30, 2010, and\nrelated statement of custodial activity for the year then ended; and had we been engaged to audit the other\nFY 2010 financial statements, and to examine internal control over financial reporting over the other FY\n2010 financial statements.\nA control deficiency exists when the design or operation of a control does not allow management or\nemployees, in the normal course of performing their assigned functions, to prevent, or detect and correct\nmisstatements on a timely basis. A significant deficiency is a deficiency, or a combination of\ndeficiencies, in internal control that is less severe than a material weakness, yet important enough to merit\nattention by those charged with governance. 
A material weakness is a deficiency, or a combination of\ndeficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of\nthe entity\xe2\x80\x99s financial statements will not be prevented, or detected and corrected on a timely basis.\nThe United States Citizenship and Immigration Services (USCIS) is a component of DHS. During our\naudit engagement, we noted certain matters in the areas of information technology (IT) configuration\nmanagement, access controls, segregation of duties, and security management with respect to USCIS\xe2\x80\x99\nfinancial systems information technology (IT) general controls, which we believe contribute to an IT\nmaterial weakness at the DHS level. These matters are described in the IT General Control Findings and\nRecommendations section of this letter.\n\n\n\n\n   Information Technology Management Letter for the USCIS Component of the FY 2010 DHS\n\n                                Financial Statement Audit\n\n                                    KPMG LLP is a Delaware limited liability partnership,\n                                    the U.S. member firm of KPMG International Cooperative\n                                    (\xe2\x80\x9cKPMG International\xe2\x80\x9d), a Swiss entity.\n\x0cThe material weakness described above is presented in our Independent Auditors\xe2\x80\x99 Report, dated\nNovember 12, 2010. This letter represents the separate limited distribution letter mentioned in that report.\nThe control deficiencies described herein have been discussed with the appropriate members of\nmanagement, and communicated through a Notice of Finding and Recommendation (NFR).\nBecause of its inherent limitations, internal control over financial reporting may not prevent, or detect and\ncorrect misstatements. 
Also, projections of any evaluation of effectiveness to future periods are subject to\nthe risk that controls may become inadequate because of changes in conditions, or that the degree of\ncompliance with the policies or procedures may deteriorate. We aim to use our knowledge of USCIS\ngained during our audit engagement to make comments and suggestions that are intended to improve\ninternal control over financial reporting or result in other operating efficiencies. We have not considered\ninternal control since the date of our Independent Auditors\xe2\x80\x99 Report.\nThe Table of Contents on the next page identifies each section of the letter. We have provided a\ndescription of key USCIS financial systems and IT infrastructure within the scope of our engagement to\naudit the FY 2010 DHS financial statements in Appendix A; a listing of the FY 2010 IT Notices of\nFindings and Recommendations (NFR) at USCIS din Appendix B; and the status of the prior year NFRs\nand a comparison to current year NFR\xe2\x80\x99s at USCIS in Appendix C. Our comments related to certain\nadditional matters have been presented in a separate letter to the Office of Inspector General and the\nUSCIS Chief Financial Officer.\n\nUSCIS\xe2\x80\x99 written response to our comments and recommendations has not been subjected to auditing\nprocedures and, accordingly, we express no opinion on it.\n\nThis communication is intended solely for the information and use of DHS and USCIS management,\nDHS Office of Inspector General, Office of Management and Budget (OMB), U.S. Government\nAccountability Office, and the U.S. 
Congress, and is not intended to be and should not be used by anyone\nother than these specified parties.\n\nVery truly yours,\n\n\n\n\n   Information Technology Management Letter for the USCIS Component of the FY 2010 DHS\n \n\n                                Financial Statement Audit\n \n\n\x0c                              Department of Homeland Security\n \n\n                     United States Citizenship and Immigration Services\n \n\n                          Information Technology Management Letter\n                                     September 30, 2010\n\n\n\n\n                INFORMATION TECHNOLOGY MANAGEMENT LETTER\n                                      TABLE OF CONTENTS\n                                                                                                   Page\nObjective, Scope, and Approach \t                                                                    1\n \n\n\n\nSummary of Findings and Recommendations \t                                                           2\n \n\n\n\nIT General Control Findings and Recommendations \n\n       Configuration Management                                                                     3\n\n\n       Access Controls                                                                              3\n\n\n       Segregation of Duties                                                                        4\n\n\n       Security Management                                                                          4\n \n\n\n\nApplication Control                                                                                 6\n\n\nManagement Comments and OIG Response                                                                6\n\n\n                                            APPENDICES\n \n\nAppendix                                           Subject                                         Page\n\n\n\n   A\t \t     Description of Key USCIS Financial Systems and IT Infrastructure within the Scope of    7\n 
\n\n            the FY 2010 DHS Financial Statement Audit Engagement \n\n   B\t \t     FY 2010 Notices of IT Findings and Recommendations at USCIS                             10\n \n\n            \xef\xbf\xbd    Notice of Findings and Recommendations \xe2\x80\x93 Definition of Severity Ratings            11\n \n\n   C        Status of Prior Year Notices of Findings and Recommendations and Comparison to          19\n \n\n            Current Year Notices of Findings and Recommendations at USCIS\n \n\n   D        Management Comments                                                                     21\n \n\n\n\n\n\nInformation Technology Management Letter for the USCIS Component of the FY 2010 DHS\n                             Financial Statement Audit\n\x0c                                Department of Homeland Security\n \n\n                       United States Citizenship and Immigration Services\n \n\n                            Information Technology Management Letter\n                                       September 30, 2010\n\n                            OBJECTIVE, SCOPE, AND APPROACH\n\n\nIn connection with our engagement to audit DHS\xe2\x80\x99 balance sheet as of September 30, 2010 and the related\nstatement of custodial activity for the year then ended, we performed an evaluation of information\ntechnology general controls (ITGC) at USCIS, to assist in planning and performing our audit. The DHS \xe2\x80\x93\nImmigration and Customs Enforcement (ICE) hosts key financial applications for USCIS. 
As such, our\naudit procedures over information technology (IT) general controls for USCIS included testing of the\nICE\xe2\x80\x99s Active Directory\\Exchange (ADEX) network and the Federal Financial Management System\n(FFMS) policies, procedures, and practices, as well as USCIS policies, procedures and practices at USCIS\nHeadquarters.\n\n\nThe Federal Information System Controls Audit Manual (FISCAM), issued by the Government\nAccountability Office (GAO), formed the basis of our ITGC evaluation procedures. The scope of the\nITGC evaluation is further described in Appendix A. FISCAM was designed to inform financial auditors\nabout IT controls and related audit concerns to assist them in planning their audit work and to integrate\nthe work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT\nauditors when considering the scope and extent of review that generally should be performed when\nevaluating general controls and the IT environment of a federal agency. 
FISCAM defines the following\nfive control functions to be essential to the effective operation of the ITGC environment.\n\n\n\xef\xbf\xbd\t Security Management (SM) \xe2\x80\x93 Controls that provide a framework and continuing cycle of activity for\n   managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy\n   of computer-related security controls.\n\xef\xbf\xbd\t Access Control (AC) \xe2\x80\x93 Controls that limit or detect access to computer resources (data, programs,\n   equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.\n\xef\xbf\xbd\t Configuration Management (CM) \xe2\x80\x93 Controls that help to prevent unauthorized changes to information\n   system resources (software programs and hardware configurations) and provides reasonable assurance\n   those systems are configured and operating securely and as intended.\n\xef\xbf\xbd\t Segregation of duties (SD) \xe2\x80\x93 Controls that constitute policies, procedures, and an organizational\n   structure to manage who can control key aspects of computer-related operations.\n\xef\xbf\xbd\t Contingency Planning (CP) \xe2\x80\x93 Controls that involve procedures for continuing critical operations\n   without interruption, or with prompt resumption, when unexpected events occur.\n\nTo complement our ITGC audit procedures, we also performed technical security testing for key network\nand system devices, as well as testing over key financial application controls in the ICE environment.\nThe technical security testing was performed both over the Internet and from within select ICE facilities,\nand focused on test, development, and production devices that directly support USCIS general support\nsystems. 
In addition to testing ICE\xe2\x80\x99s general control environment, we tested controls around the FFMS\nmigration to the Clarksville Data Center (DC2) in Clarksville, VA.\n\n\n\n\n   Information Technology Management Letter for the USCIS Component of the FY 2010 DHS \n\n                                Financial Statement Audit \n\n                                          Page 1 \n\n\x0c                                Department of Homeland Security\n \n\n                       United States Citizenship and Immigration Services\n \n\n                            Information Technology Management Letter\n                                       September 30, 2010\n\n                  SUMMARY OF FINDINGS AND RECOMMENDATIONS\n\nDuring fiscal year (FY) 2010, USCIS took corrective action to address some prior year IT control\ndeficiencies. For example, USCIS made improvements over ADEX system administrator recertification,\nphysical controls at the Manassas Data Center, and access controls over security software. However,\nduring FY 2010, we continued to identify IT general control deficiencies that could potentially impact\nUSCIS\xe2\x80\x99s financial data. The most significant findings from a financial statement audit perspective were\nrelated to the FFMS configuration and patch management, and deficiencies within Computer Linked\nApplication Information Management System (CLAIMS) 3 LAN and CLAIMS 4 user account\nmanagement. Collectively, the IT control deficiencies limited USCIS\xe2\x80\x99s ability to ensure that critical\nfinancial and operational data were maintained in such a manner to ensure confidentiality, integrity, and\navailability. In addition, these control deficiencies negatively impacted the internal controls over USCIS\nfinancial reporting and its operation and we consider them to contribute to a material weakness at the\nDepartment level under standards established by the American Institute of Certified Public Accountants\n(AICPA). 
In addition, based upon the results of our test work, we noted that ICE did not fully comply\nwith the requirements of the Federal Financial Management Improvement Act (FFMIA).\n\nOf the 14 findings identified during our FY 2010 testing, three were new IT findings. These findings\nrepresent control deficiencies in four of the five FISCAM key control areas: configuration management,\naccess controls, segregation of duties, and security management. Specifically, these control deficiencies\ninclude: 1) a lack of strong password management and audit logging within the financial applications, 2)\nsecurity management issues involving staff security training and exit processing procedure weaknesses, 3)\ninadequately designed and operating configuration management, and 4) the lack of effective segregation\nof duties controls within financial applications. These control deficiencies may increase the risk that the\nconfidentiality, integrity, and availability of system controls and USCIS financial data could be exploited\nthereby compromising the integrity of financial data used by management as reported in DHS\xe2\x80\x99\nconsolidated financial statements. 
While the recommendations made by KPMG should be considered by\nUSCIS, it is the ultimate responsibility of USCIS management to determine the most appropriate\nmethod(s) for addressing the control deficiencies identified based on their system capabilities and\navailable resources.\n\n\n\n\n   Information Technology Management Letter for the USCIS Component of the FY 2010 DHS \n\n                                Financial Statement Audit \n\n                                          Page 2 \n\n\x0c                                Department of Homeland Security\n \n\n                       United States Citizenship and Immigration Services\n \n\n                            Information Technology Management Letter\n                                       September 30, 2010\n\n\n            IT GENERAL CONTROL FINDINGS AND RECOMMENDATIONS\n\nFindings:\nDuring the FY 2010 DHS financial statement audit, we identified the following USCIS IT and financial\nsystem control deficiencies that in the aggregate significantly contribute to the material weakness at the\nDepartment level.\n\nConfiguration Management\n\xef\xbf\xbd\t Security configuration management control deficiencies on ADEX. 
These control deficiencies\n   included default installation and configuration settings on the Cisco routers.\n\xef\xbf\xbd\t Security configuration management over FFMS included:\n            \xef\xbf\xbd\t Network and servers were installed with default configuration settings and protocols.\n            \xef\xbf\xbd\t Mainframe production databases were installed and configured without baseline security\n               configurations.\n            \xef\xbf\xbd\t Servers have inadequate patch management.\n\n\nAccess Control\n\n\xef\xbf\xbd\t The following account management control deficiencies over ADEX, CLAIMS 3 LAN, and CLAIMS\n   4:\n            \xef\xbf\xbd\t The lack of recertification of CLAIMS 3 LAN and CLAIMS 4 system users.\n            \xef\xbf\xbd\t Inefficient definition and documentation of CLAIMS 3 LAN and CLAIMS 4 access roles\n               were noted.\n            \xef\xbf\xbd\t User access is not documented and maintained for ADEX, CLAIMS 3 LAN, and\n               CLAIMS 4.\n            \xef\xbf\xbd\t CLAIMS 4 password configurations do not meet DHS requirements.\n            \xef\xbf\xbd\t Terminated personnel still have active user accounts within CLAIMS 3 LAN and\n               CLAIMS 4.\n\xef\xbf\xbd\t Lack of processes in place for sanitization of equipment and media.\n\xef\xbf\xbd\t Ineffective safeguards over physical access to sensitive facilities and resources at the DC2 and the\n   USCIS Vermont Service Center.\n\xef\xbf\xbd\t Lack of policies and procedures for maintaining and reviewing CLAIMS 3 LAN and CLAIMS 4 audit\n   logs.\n\n\n\n\n   Information Technology Management Letter for the USCIS Component of the FY 2010 DHS \n\n                                Financial Statement Audit \n\n                                          Page 3 \n\n\x0c                                 Department of Homeland Security\n \n\n                        United States Citizenship and Immigration Services\n \n\n                             Information 
Technology Management Letter\n                                        September 30, 2010\n\nSegregation of Duties\n\xef\xbf\xbd\t Segregation of duties controls were not enforced through access authorizations in CLAIMS 4.\n\nSecurity Management\n\xef\xbf\xbd\t Procedures for transferred/terminated personnel exit processing are not finalized.\n\xef\xbf\xbd\t IT Security training is not mandatory nor is compliance monitored.\n\n\nRecommendations:\nWe recommend that the USCIS Chief Information Officer (CIO) and Chief Financial Officer (CFO), in\ncoordination with the DHS Office of Chief Financial Officer and the DHS Office of the Chief Information\nOfficer, make the following improvements to USCIS\xe2\x80\x99s financial management systems and associated\ninformation technology security program.\n\n\nFor Configuration Management\nUnless specifically noted where USCIS needs to take specific corrective action, we recommend that the\nUSCIS CIO and CFO, in coordination with the ICE Office of Chief Financial Officer and the ICE Office\nof the Chief Information Officer, make the following improvements to ICE\xe2\x80\x99s information technology:\n\xef\xbf\xbd\t Ensure that password configuration settings are properly and effectively applied.\n\xef\xbf\xbd\t Implement the appropriate FFMS database and network server patches in order to ensure patch\n   management compliance.\n\nFor USCIS, we recommend\n\xef\xbf\xbd\t Monitor the ICE Mission Action Plan (MAP) for the ADEX and FFMS vulnerabilities that impact\n   USCIS operations.\n\nFor Access Controls\n\xef\xbf\xbd\t Finalize the CLAIMS 3 LAN and CLAIMS 4 account management procedures that address account\n   identification, set-up, recertification, and termination and access request form maintenance.\n\xef\xbf\xbd\t Review CLAIMS 3 LAN accounts that have been inactive for 45 days and remove users on the Office\n   of Human Capital and Training (HCT) attrition bi-weekly list.\n\xef\xbf\xbd\t Finalize the CLAIMS 3 LAN Account 
Management procedures that address account identification,\n   set-up, recertification, and termination and access request form maintenance.\n\xef\xbf\xbd\t Recertify CLAIMS 3 LAN accounts and ensure a current and valid access request form is maintained.\n\xef\xbf\xbd\t Finalize and issue the USCIS management directive on Information System Account management.\n\xef\xbf\xbd\t Evaluate the risk imposed on the CLAIMS 4 system by not modifying the password history from 6 to\n   8. If it is deemed that the risk is low, USCIS should submit a Waivers and Exceptions Request Form\n   to the DHS Chief Information Security Officer (CISO). If the risk is deemed medium or high, USCIS\n   should implement the password changes to meet DHS requirements.\n\n   Information Technology Management Letter for the USCIS Component of the FY 2010 DHS \n\n                                Financial Statement Audit \n\n                                          Page 4 \n\n\x0c                               Department of Homeland Security\n \n\n                      United States Citizenship and Immigration Services\n \n\n                           Information Technology Management Letter\n                                      September 30, 2010\n\n\xef\xbf\xbd\t Finalize and implement the CLAIMS 4 Account Management Procedures that address account\n   identification, set-up, recertification, and termination and access request form maintenance.\n\xef\xbf\xbd\t Finalize the USCIS Media Protection Management Directive and the USCIS Media Protection\n   Procedures and ensure they are readily available to USCIS personnel.\n\xef\xbf\xbd\t Finalize the Media Protection Procedures for the Vermont Service Center (VSC). 
In addition, USCIS\n   should test VSC\xe2\x80\x99s Office of Information Technology (OIT) Visitor Policy and Procedures to ensure\n   they address physical security.\n\xef\xbf\xbd\t Finalize the USCIS Audit and Accountability Management Directive and implement enterprise audit\n   logging software.\n\n\nFor Segregation of Duties\n\xef\xbf\xbd\t Finalize the CLAIMS 4 account management procedures that address account identification, set-up,\n   recertification, and termination and access request form maintenance.\n\nFor Security Management\n\xef\xbf\xbd\t Implement and enforce exit clearance policies and procedures to be followed in the event of transfer,\n   termination or separation of federal and contract personnel. Resources should be made available to\n   communicate the updated procedures to personnel, train mission support staff who have a critical role\n   in the updated process, and enforce and monitor compliance with the exit procedures and policies.\n\xef\xbf\xbd\t Update and provide IT security training materials utilized during the New Employee Orientation\n   Program (NEOP).\n\xef\xbf\xbd\t Maintain a monthly report of all new hires and the information security awareness training date\n   completion.\n\xef\xbf\xbd\t Continue utilization of the Department of Status (DOS) Computer Security Awareness Training\n   (CSAT) tool to provide annual information security awareness training to all USCIS employees.\n\n\n\n\n   Information Technology Management Letter for the USCIS Component of the FY 2010 DHS \n\n                                Financial Statement Audit \n\n                                          Page 5 \n\n\x0c                               Department of Homeland Security\n \n\n                      United States Citizenship and Immigration Services\n \n\n                           Information Technology Management Letter\n                                      September 30, 2010\n\n\n\n\n                                   APPLICATION 
CONTROLS\n\nAs a result of the control deficiencies noted above in the Information Technology General Controls,\nmanual compensating controls were tested in place of application controls.\n\n\n\n                    MANAGEMENT COMMENTS AND OIG RESPONSE\n\n\nThe OIG received written comments on a draft of this report from USCIS management. Generally,\nUSCIS management agreed with all of our findings and recommendations. USCIS management has\ndeveloped a remediation plan to address these findings and recommendations. A copy of the comments is\nincluded in Appendix D.\n\n\nOIG Response\nWe agree with the steps that USCIS management is taking to satisfy these recommendations.\n\n\n\n\n   Information Technology Management Letter for the USCIS Component of the FY 2010 DHS \n\n                                Financial Statement Audit \n\n                                          Page 6 \n\n\x0c                                                                            Appendix A\n                          Department of Homeland Security\n \n\n                 United States Citizenship and Immigration Services\n \n\n                      Information Technology Management Letter\n                                 September 30, 2010\n\n\n\n\n                                   Appendix A\n\n\nDescription of Key USCIS Financial Systems and IT Infrastructure\n within the Scope of the FY 2010 DHS Financial Statement Audit\n\n\n\n\n Information Technology Management Letter for the USCIS Component of the FY 2010 DHS \n\n                              Financial Statement Audit \n\n                                        Page 7 \n\n\x0c                                                                                           Appendix A\n                               Department of Homeland Security\n                      United States Citizenship and Immigration Services\n                           Information Technology Management Letter\n                                      
September 30, 2010\n\nCLAIMS 3 Local Area Network (LAN)\nCLAIMS3 LAN provides USCIS with a decentralized, geographically dispersed LAN based mission\nsupport case management system, with participation in the centralized CLAIMS 3 Mainframe data\nrepository. CLAIMS 3 LAN supports the requirements of the Direct Mail Phase I and II, Immigration Act\nof 1990 (IMMACT 90) and USCIS forms improvement projects. The CLAIMS 3 LAN is located at the\nfollowing service centers and district offices: Nebraska, California, Texas, Vermont, Baltimore District\nOffice, and Administrative Appeals Office. CLAIMS 3 executes on Dell 220 S (EMC), RAID Controller,\nDisk Storage servers protected by firewalls, and Windows 2003, MS Sp2 as the operating system and\nPervasive database software and is used to enter and track immigration applications. CLAIMS 3 LAN\ninterfaces with the following systems:\n\xef\xbf\xbd   Citizenship and Immigration Services Centralized Oracle Repository (CISCOR)\n\xef\xbf\xbd   CLAIMS 3 Mainframe\n\xef\xbf\xbd   Integrated Card Production System (ICPS)\n\xef\xbf\xbd   CLAIMS 4\n\xef\xbf\xbd   E-filing\n\xef\xbf\xbd   Benefits Biometric Support System (BBSS)\n\xef\xbf\xbd   Refugee, Asylum, and Parole System (RAPS)\n\xef\xbf\xbd   National File Tracking System (NFTS)\n\xef\xbf\xbd   Integrated Card Production System (ICPS)\n\xef\xbf\xbd   Customer Relationship Interface System (CRIS)\n\xef\xbf\xbd   USCIS Enterprise Service Bus (ESB)\n\nCLAIMS 4\nThe purpose of CLAIMS 4 is to track and manage naturalization applications. Claims 4 is a client/server\napplication. CLAIMS 4 runs off of Sunfire 890, 490, Solaris 9, and Oracle 9iR2 servers with Oracle 9i,\nWindows NT, and Windows 2000 Server operating systems and are protected by firewalls. The central\nOracle Database that runs off Oracle Enterprise 9i is located in Washington, DC while application servers\nand client components are located throughout USCIS service centers and district offices. 
CLAIMS 4\ninterfaces with the following systems:\n\xef\xbf\xbd   Central Index System (CIS)\n\xef\xbf\xbd   Reengineered Naturalization Automated Casework System (RNACS)\n\xef\xbf\xbd   CLAIMS 3 LAN and Mainframe\n\xef\xbf\xbd   Refugee, Asylum, and Parole System (RAPS)\n\xef\xbf\xbd   Enterprise Performance Analysis System (ePAS)\n\xef\xbf\xbd   National File Tracking System (NFTS)\n\xef\xbf\xbd   Asylum Pre-Screening System (APSS)\n\xef\xbf\xbd   USCIS Enterprise Service Bus (ESB)\n\xef\xbf\xbd   Biometrics Benefits Support System (BBSS)\n\xef\xbf\xbd   Enterprise Citizenship and Immigration Service Centralized Operational Repository (eCISOR)\n\xef\xbf\xbd   Customer Relationship Interface System (CRIS)\n\xef\xbf\xbd   FD 258 Enterprise Edition and Mainframe\n\xef\xbf\xbd   Site Profile System (SPS)\n\n    Information Technology Management Letter for the USCIS Component of the FY 2010 DHS \n\n                                 Financial Statement Audit \n\n                                           Page 8 \n\n\x0c                                                                                            Appendix A\n                                Department of Homeland Security\n \n\n                       United States Citizenship and Immigration Services\n \n\n                            Information Technology Management Letter\n                                       September 30, 2010\n\nFederal Financial Management System (FFMS)\nThe FFMS is a CFO designated financial system and certified software application that conforms to OMB\nCircular A-127 and implements the use of a Standard General Ledger for the accounting of agency\nfinancial transactions. It is used to create and maintain a record of each allocation, commitment,\nobligation, travel advance and accounts receivable issued. It is the system of record for the agency and\nsupports all internal and external reporting requirements. 
FFMS is a commercial off-the-shelf financial reporting system built on the Oracle 9i Relational Database Management System running on an IBM 9672 mainframe with the z/OS 1.4 platform. The FFMS operating system runs on an IBM z/OS Version 1.4 mainframe server and Microsoft Windows 2000 report servers protected by firewalls. It includes the core system used by accountants, FFMS Desktop, which is used by average users, and a National Finance Center (NFC) payroll interface. As of July 2010, the FFMS mainframe component and two network servers are hosted at the DHS DC2 facility located in Clarksville, Virginia. Prior to July, the system was housed at the Department of Commerce located in Springfield, VA. FFMS currently interfaces with the following systems:
- Direct Connect, for transmission of DHS payments to Treasury
- Fed Travel
- The Biweekly Examination Analysis Reporting (BEAR) and Controlling Accounting Data Inquiry (CADI) systems, for processing NFC user account and payroll information
- The Debt Collection System (DCOS)
- Bond Management Information System (BMIS) Web

ICE Network
The ICE Network, also known as the ADEX E-mail System, is a major application for ICE and other DHS components, such as USCIS. The ADEX servers and infrastructure for the headquarters and National Capital Area are located on the third floor of the Potomac Center North Tower in Washington, DC. The ICE Network uses a hybrid mesh/hub-and-mesh network design to maximize redundancy throughout the network. ICE operates on Dell PowerEdge 2950, HP ProLiant DL 385 Server, HP ProLiant BL45p Server Blade, HP BL 25P Blade Server, and EMC Symmetrix DM hardware. ADEX has implemented the Microsoft Windows 2003 Enterprise Server operating system to provide directory, domain control, and network services to clients.
For security purposes, ADEX has implemented firewalls and a logical Layer-3 encrypted overlay network using Generic Routing Encapsulation (GRE) and IPsec tunneling. ADEX currently interfaces with the following system:
- Diplomatic Telecommunications Service Program Office (DTSPO) ICENet Infrastructure


Appendix B
Department of Homeland Security
United States Citizenship and Immigration Services
Information Technology Management Letter
September 30, 2010

FY 2010 Notices of IT Findings and Recommendations at USCIS


Notice of Findings and Recommendations (NFR) – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the Department of Homeland Security (DHS) Consolidated Independent Auditors' Report.

      1 – Not substantial
      2 – Less significant
      3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.

These ratings are provided only to assist DHS in prioritizing the development of its corrective action plans for remediation of the deficiency.


Notice of Findings and Recommendations – Detail

Columns: NFR No. | Condition | Recommendation | New Issue / Repeat Issue | Severity Rating


CIS-IT-10-01 (Repeat Issue; Severity Rating 3)
Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that the access roles at the National Benefits Center (NBC) for CLAIMS 3 LAN have not been defined and documented. USCIS has begun some corrective action; however, these issues have not been fully remediated.
Recommendation: The USCIS Office of Information Technology (OIT) will finalize the CLAIMS 3 LAN Account Management Procedures that address account identification, set-up, recertification, and termination and access request form maintenance. These procedures reflect how all CLAIMS 3 LAN accounts will be managed at each facility that utilizes the CLAIMS 3 LAN.

CIS-IT-10-02 (Repeat Issue; Severity Rating 3)
Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that the weakness has not been remediated for CLAIMS 3 LAN periodic user access reviews. USCIS has begun some corrective action; however, these issues have not been fully remediated.
Recommendation: The USCIS OIT will continue to manually review CLAIMS 3 LAN accounts for those that have been inactive for 45 days and to remove users that appear on the Office of Human Capital and Training (HCT) attrition bi-weekly list. OIT will finalize the CLAIMS 3 LAN Account Management Procedures that address account identification, set-up, recertification, and termination and access request form maintenance. OIT will continue to work with the OIT Account Management Group, the IT Project Manager and each installation site to recertify CLAIMS 3 LAN accounts and ensure a current and valid access request form is filed. OIT will continue to work with HCT to ensure their exit clearance process includes procedures to promptly notify OIT when employees leave or transfer. OIT will also finalize the USCIS Account Management, Management Directive (Agency Policy).

CIS-IT-10-03 (Repeat Issue; Severity Rating 2)
Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of the prior year NFR and learned that the weakness still exists for incomplete or inadequate access request forms for CLAIMS 3 LAN and CLAIMS 4. USCIS has begun some corrective action; however, these issues have not been fully remediated.
Recommendation: The USCIS OIT will finalize the CLAIMS 3 LAN and CLAIMS 4 Account Management Procedures that address account identification, set-up, recertification, and termination and access request form maintenance. OIT will continue to work with the OIT Account Management Group, the IT Project Manager and each installation site to recertify CLAIMS 3 LAN and CLAIMS 4 accounts and ensure a current and valid access request form is filed.

CIS-IT-10-04 (Repeat Issue; Severity Rating 2)
Condition: In FY 2009, KPMG performed an inspection of a sample of personnel that had terminated/transferred from their employment with USCIS during the fiscal year. KPMG requested evidence that exit clearance forms were completed for each employee to determine USCIS management's compliance with termination/transfer procedures. Of the 28 terminated/transferred USCIS personnel sampled, evidence of compliance with exit clearance procedures could not be provided for 19 employees.
During the FY 2010 financial statement audit, we learned that the USCIS Human Resource Division revised the existing terminated/transferred procedures for exit processing; however, the procedures have not been approved nor implemented.
Recommendation: We recommend USCIS management issue and adhere to exit clearance policies and procedures to be followed in the event of transfer, termination or separation of federal and contract personnel. Resources should be made available to communicate the updated procedures to personnel, train mission support staff who have a critical role in the updated process, and enforce and monitor compliance with the exit procedures and policies.

CIS-IT-10-05 (Repeat Issue; Severity Rating 1)
Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that equipment and media policies and procedures are not current. USCIS has begun some corrective action; however, these issues have not been fully remediated.
Recommendation: The USCIS OIT will finalize the USCIS Media Protection Management Directive and the USCIS Media Protection Procedures and ensure they are readily available to USCIS personnel. OIT will continue to work with the Office of Administration to ensure there is a standardized process to label, track, sanitize, refurbish, and/or destroy USCIS media using approved equipment and software.

CIS-IT-10-06 (New Issue; Severity Rating 3)
Condition: During KPMG's internal vulnerability assessment of FFMS performed in August 2010, KPMG identified several High/Medium Risk vulnerabilities related to the following:
- FFMS mainframe production databases were installed and configured without baseline security configurations, including the USCIS Oracle instance
- FFMS servers have missing or inadequate patches
In addition, we found physical safeguard weaknesses at the Clarksville Data Center (DC2), which impact USCIS operations. Specifically, we determined the following:
- Re-entry procedures after an emergency have been implemented; however, the procedures are not documented.
- An FFMS server is inappropriately marked with a label that identifies the application/data on the server.
Recommendation: USCIS will monitor the Mission Action Plans (MAP) of the associated ICE NFRs (IT-10-12, IT-10-13, IT-10-14 and IT-10-15) and request periodic status updates.

CIS-IT-10-07 (Repeat Issue; Severity Rating 2)
Condition: During the FY 2009 financial statement audit, KPMG performed inspection of the CLAIMS 4 password configuration settings. Per our inspection, KPMG determined that CLAIMS 4 has been configured to prohibit password reuse for 6 generations, which does not meet the DHS 4300A requirement of 8 password generations. During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that the weakness has not been remediated for CLAIMS 4 password configuration. USCIS has begun some corrective action; however, these issues have not been fully remediated.
Recommendation: The USCIS OIT will continue to evaluate the risk imposed on the CLAIMS 4 system by not changing the password history from 6 to 8. If the risk is deemed low, OIT will submit a Waivers and Exceptions Request Form to the DHS CISO. If the risk is deemed medium or high, OIT will continue to implement the password changes as outlined in the FY09 USCIS OIT Mission Action Plan (MAP).

CIS-IT-10-08 (Repeat Issue; Severity Rating 1)
Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that ineffective safeguards still exist over physical access to sensitive facilities and resources. USCIS has begun some corrective action; however, these issues have not been fully remediated.
Recommendation: The USCIS OIT will continue to finalize the Media Protection Procedures for the Vermont Service Center. OIT will test VSC's OIT Visitor Policy and Procedures to ensure they address the physical security concerns listed in the condition statement.

CIS-IT-10-09 (Repeat Issue; Severity Rating 2)
Condition: In FY 2009, we determined that USCIS lacks policies and procedures over audit logging of application and server audit logs for the CLAIMS 3 LAN and CLAIMS 4 systems. Specifically, we learned that CLAIMS 3 LAN generates audit logs; however, USCIS does not require that the logs be reviewed or maintained. In addition, we determined that USCIS does not have policies or procedures in place for maintaining and reviewing the audit logs. For CLAIMS 4, we noted that CSC contractors capture and review the logs of user access to CLAIMS 4; however, no reviews of significant changes in the application or to system files are conducted. Additionally, no policies or procedures have been established for conducting and monitoring the audit log reviews.
During the FY 2010 financial statement audit, we learned that USCIS has begun some corrective action; however, these issues have not been fully remediated. Therefore, this finding is being reissued.
Recommendation: The OIT will continue to finalize the USCIS Audit and Accountability Management Directive and implement enterprise audit logging software. OIT will ensure CLAIMS 3 LAN and CLAIMS 4 audit logs are provided to the enterprise audit logging software for analysis. Once the integration of CLAIMS 3 LAN and CLAIMS 4 with the enterprise audit logging software is complete, OIT will develop CLAIMS 3 LAN and CLAIMS 4 audit and accountability procedures.

CIS-IT-10-10 (Repeat Issue; Severity Rating 2)
Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that weak logical access controls still exist over CLAIMS 4. USCIS has begun some corrective action; however, these issues have not been fully remediated.
Recommendation: The USCIS OIT will finalize the CLAIMS 4 Account Management Procedures that address account identification, set-up, recertification, and termination and access request form maintenance. OIT will continue to work with the OIT Account Management Group, the IT Project Manager and each installation site to recertify CLAIMS 4 accounts and ensure a current and valid access request form is filed. OIT will also finalize the USCIS Account Management, Management Directive (Agency Policy).
OIT will continue to manually review CLAIMS 4 accounts for those that have been inactive for 45 days and to remove users that appear on the Office of Human Capital and Training (HCT) attrition bi-weekly list. OIT will continue to work with HCT to ensure their exit clearance process includes procedures to promptly notify OIT when employees leave or transfer.
The HCT must finalize Exit Clearance Process policies and procedures and ensure that these documents are disseminated agency-wide. Specifically, ensure that contracting officers, contracting officers' technical representatives, managers and supervisors are informed about these documents and understand their importance.

CIS-IT-10-11 (Repeat Issue; Severity Rating 2)
Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that CLAIMS 3 LAN still lacks policy and procedures for separated employees. USCIS has begun some corrective action; however, these issues have not been fully remediated.
Recommendation: The USCIS OIT will continue to manually review CLAIMS 3 LAN accounts for those that have been inactive for 45 days and to remove users that appear on the HCT attrition bi-weekly list. OIT will finalize the CLAIMS 3 LAN Account Management Procedures that address account identification, set-up, recertification, and termination and access request form maintenance. OIT will continue to work with HCT to ensure their exit clearance process includes procedures to promptly notify OIT when employees leave or transfer. OIT will also finalize the USCIS Account Management Directive (Agency Policy).
The HCT must finalize Exit Clearance Process policies and procedures and ensure that these documents are disseminated agency-wide. Specifically, ensure that contracting officers, contracting officers' technical representatives, managers and supervisors are informed about these documents and understand their importance.

CIS-IT-10-12 (Repeat Issue; Severity Rating 2)
Condition: During the FY 2010 financial statement audit, we learned that the IT security awareness training weakness has not been remediated; therefore, this finding was reissued.
Recommendation: For initial information security awareness training, OIT will continue to update and provide training materials for the HCT New Employee Orientation Program (NEOP). The HCT should continue to implement the NEOP agency-wide. HCT must provide OIT a monthly report of all new hires and the date they completed initial information security awareness training during NEOP.
For annual information security awareness refresher training, OIT will continue to use the Department of State (DOS) Computer Security Awareness Training (CSAT) tool to provide information security awareness training to all USCIS employees with access to agency information systems.

CIS-IT-10-13 (New Issue; Severity Rating 2)
Condition: During roll-forward testing for the FY 2010 financial statement audit, KPMG performed inspection of ADEX access request forms. Per our inspection, KPMG determined that one out of the forty-five access forms requested was not provided. Additionally, three out of the forty-five access forms requested were created on the same day as the request.
Recommendation: OIT will finalize and issue the USCIS MD on Information System Account Management. The MD stipulates policies on records management of access requests and standardizes the USCIS Network Access Request Form.

CIS-IT-10-14 (Repeat Issue; Severity Rating 3)
Condition: ICE – During KPMG's internal vulnerability assessment efforts of ICE's ADEX network servers and devices performed in August 2010, KPMG identified a default installation and configurations for the Hot Standby Router Protocol (HSRP) on the Cisco routers.
USCIS – Although USCIS does not have direct responsibility for the controls over ADEX and ICE financial applications, USCIS does have a responsibility to proactively manage its service provider relationship with ICE. USCIS should require ICE to provide a detailed Corrective Action Plan (CAP) containing the planned remediation of the security vulnerabilities affecting USCIS data integrity.
Recommendation: USCIS will monitor the Mission Action Plan (MAP) of the associated NFR# ICE-IT-10-16 and request periodic status updates.


Appendix C
Department of Homeland Security
United States Citizenship and Immigration Services
Information Technology Management Letter
September 30, 2010

Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at USCIS


NFR No.      | Description                                                                                              | Disposition (Closed / Repeat)
Description                                Closed         Repeat\n\nCIS-IT-09-01   Inefficient definition and documentation of access roles at the\n                                                                                                     10-01\n               National Benefits Center for CLAIMS3 LAN\nCIS-IT-09-02   Periodic user access reviews are not performed for CLAIMS3\n                                                                                                     10-02\n               LAN users.\nCIS-IT-09-03   Incomplete or inadequate access request forms for CLAIMS3\n                                                                                                     10-03\n               LAN and CLAIMS4 system users.\nCIS-IT-09-04   Periodic Active Directory Exchange system administrator access\n                                                                                       X\n               reviews are not performed at USCIS.\nCIS-IT-09-06   Weak data center access controls exist                                  X\nCIS-IT-09-07   Equipment and media policies and procedures are not current.\n                                                                                                     10-05\nCIS-IT-09-08   Weak access controls for security software exist within the\n                                                                                       X\n               Password Issuance and Control System.\nCIS-IT-09-09   Weak access controls exist in CLAIMS3 LAN.                              X\nCIS-IT-09-10   Weak password configuration controls around CLAIMS4.                                  10-07\nCIS-IT-09-11   Background investigations are not conducted in a timely manner.         
X\nCIS-IT-09-12   Procedures for transferred/terminated personnel exit processing\n                                                                                                     10-04\n               are not finalized\nCIS-IT-09-13   Ineffective safeguards over physical access to sensitive facilities\n                                                                                                     10-08\n               and resources\nCIS-IT-09-14   Weak access controls exist within FFMS                                  X\nCIS-IT-09-15   Lack of policies and procedures for CLAIMS 3 LAN and\n                                                                                                     10-09\n               CLAIMS 4 audit logs\nCIS-IT-09-16   Weak logical access controls exist over CLAIMS 4                                      10-10\nCIS-IT-09-17   Training for IT security personnel is not mandatory                     X\nCIS-IT-09-18   Lack of policies and procedures for separated CLAIMS3 LAN\n                                                                                                     10-11\n               accounts\nCIS-IT-09-19   IT Security Awareness Training compliance is not monitored\n                                                                                                     10-12\nCIS-IT-09-20   Default installation and configuration of Cisco routers on ICE\n                                                                                                     10-14\n               Network Impact USCIS Operations.\n\n\n\n\n    Information Technology Management Letter for the USCIS Component of the FY 2010 DHS \n\n                                 Financial Statement Audit \n\n                                          Page 20 \n\n\x0c                                                                                                                              Appendix D\n                                          Department of Homeland 
Security \n\n                                       Immigration and Customs Enforcement \n\n                                      Information Technology Management Letter\n                                                 September 30, 2009\n\n                                                                           I ....... 1"..."._ "\'Il_la"\'~.",\n                                                                           I ..   (ir"~.,,   . _ lor    ..,,,,,~    ...... .."oc,\n                                                                           1JM<.>:uJ\'\'\'\'\'~      "\'f.-""\'...    Or\n                                                                           \\10_ """" III       :"l,,~\n\n\n\n                                                                           U.S.Otlzenship\n                                                                           and Immigranon\n                                                                           Services\n\n\n\n\n Fcbruary 24. 2011\n\n Memorandum\n 1\'0:            Frank DefTer\n                 AssiSlanl Inspector General for Information Tcchnolog)\' Audits\n                 U.S. Department of I lomdand Sc<:urity\n\n                 Mark Sch\\\\urtL\n                 Chicflnfonnulion Offil:cr\n\n\n\n                                  .1=\n                 U.S. Citi.....cnship lind Immigration S...rvie\xe2\x80\xa2\xe2\x80\xa2::.\n\n                 Timothy Rosado~~\n                 Acting.. Chief         OniC\\.."\'r\n                 U.S. Citizenship and Immigralion s..\'n..ic(..":.\n\n SUBJECT: Informalion Technology Management Lcllt.\'T for the USCIS ComJXmcllt of\n          the FY 2010 DIIS Financial Slatemeni Audil\n\n We \\\\ould like 10 thank ~ou lor the opportunity to review and comment on the Information\n Tt.ochnology (IT) Muna~""l1Iellt Leller lor Ihe U.S. Cili7...enship and Immigrmion Services (Use IS)\n CumpoTk:llt for th.... 
FY 20 I0 DCpartllll.:llt of Homeland Socuril~ (OilS) Financial SlalcmCni\n Audit. USCIS "-\'quesls Ihat your Office mak.... the fol1u\\\\ing c1mllges to the Independcnl\n Auditor\'s Report.\n\n [xccpt for the items noted below. USCIS agn.."t."S und accepls all finding. comments. and\n conclusions cxpressed in this ".\'pon.\n\n          FINDI1\'\\\'GS CONTRIBUTING TO A MATERIAL WEAKNESS IN IT AT TilE\n                                DEI\'ARTM8\\.TT LEVEL\n\n O",dilion..~;Durillg thc FY 2010 DHS Financial Slatement AudiL we identitied the follo",lOg\n USCJS IT and financial system control dcficicnci..-s that in the aggregale significantl~ oontnbutc\n 10 the material weakness at the Dcpartmentlc\\.c1.\n\n Configuration Man.\'lgemCllt\n\n     \xe2\x80\xa2   Sccurit) eonfigur.ltion munagcnll:.\'m control deficiencies on ADEX. These contml\n         deficiencies included default installation and confi];urution sclling.s on the Cisco mute".\n\n\n\nInformation Technology Management Letter for the USCIS Component of the FY 2010 DHS Financial\n                                      Statement Audit \n\n                                           Page 21 \n\n\x0c                                                                                                                     Appendix D\n                                              Department of Homeland Security \n\n                                           Immigration and Customs Enforcement \n\n                                          Information Technology Management Letter\n                                                     September 30, 2009\n\n   Intonnation Technology Management Letter for the lJSCIS Component of the FY 2010 Dl-IS\n   Finaneinl Stmclllcnt Audit\n   Pnge 2\n\n\n   USCIS   SU~l.!csto:d Ch\'lllgC:\n\n\n       \xe2\x80\xa2   Secllrity cnnligLlTation manngcmcm control dcficicTlcie,.on ADEX. 
These control\n           l.kficiclll;ies indut.l\\.-"lJ default installation and configuration sctti ngs on IC1:\' s Ci5CO\n           rout<.:rs.\n\n   Rational: The indL\'pcndcnt auditors onl)< pcrfonm:d 11l.\xc2\xb7twork anu device: testing on I(\'E-s\n   equipment u!>ing: sonw:tr<: :->canning tools. USCIS doc~ nol ha"c tlK\' ovo.:r.,ight to manage lCE\'s\n   installation of equipment used for shared services.\n\n   Aect.\'Xs Control\n\n       \xe2\x80\xa2   The following aecowlt managcllwnt control                dl:.\xc2\xb7ficiCI~(\'ieS()\\ierADEX.   CLAIMS:; LAN.\n           and CI.AIMS 4:\n\n               o      User access is not documented and mamtmncd for AUL:X. CLAIMS 3 LAN. and\n                   CLAlM~ ~,\n\n\n       \xe2\x80\xa2   Laek of processes in place for !oianiti:t..atiun of c\'I uipmem and media.\n\n   lISCIS Suggested Change:\n\n       \xe2\x80\xa2   llw following account management conlrol deficiencies over ADEX. CLA tMS                       j   LAN.\n           and CLAIMS 4:\n\n               "      I lscr   lI{~ce"s   t"\'L\'tlllcst ronns are nut consistelltl:lo\' nnintuined for ADEX_ CLAIMS :;\n                      LA!\'. and CLAIMS 4.\n\n       \xe2\x80\xa2   Outd.ated d<x\'\xc2\xb7uIllI:nl..::d proco:sses lor s.1niti7....11ion of equipment and media.\n\n   I\\ational: For all t1l1"\'..--": inlonmtlioll s)slcms. USCIS PfO\\ ide:d ro,lgbly 90 percent of all rOn1~S\n   requestcd by the indcpend<.::nt auditor. User access n.:que:;ts are documented on USCIS Fonns\n   (j\xc2\xb7llfiO and O-R72. IJSCIS agu.\xc2\xb7cs that it nc:oos to improve the maintenance process ot\'these\n   fonns so that the) are ready available upon rL\'quL"SL\n\n   The ()nice of Information Tcchnology (OIT) purchast..-d approximately 100 dcgaulisers and\n   Im:dil1 :.uuiti:t...atiun :.oftware to cn:>urc Ilwdi,1 i:; :;aoiliLCd and de,gau5scd \'when appropriate. 
orl"\n   has dmll US-CIS Mcdia lJrotc,:ti{m jXllicit."S and procedures that support the implementation of\n   OIlS and National Institute of Standards and Technology policies. procedures. and stal1dards.\n   USCIS has media protection processes: hovl.c"cr. our doeumenwtion hu:; not bL"Cn finalized.\n\n   Securit\\ Management\n\n       \xe2\x80\xa2   IT Security training is not mandutory nOr is compliance monitorcd.\n\n\n\n\nInformation Technology Management Letter for the USCIS Component of the FY 2010 DHS Financial\n                                      Statement Audit \n\n                                           Page 22 \n\n\x0c                                                                                                             Appendix D\n                                      Department of Homeland Security\n \n\n                                   Immigration and Customs Enforcement \n\n                                  Information Technology Management Letter\n                                             September 30, 2009\n\n  lnfonnalion TechnQlogy M.mOlgcm~n1 Leller fN the USC1S Cumpon.:\'nl                  ofth~   FY 2010 DHS\n  Financial Stalement Audit\n  Pagc 1\n\n  USCI:;; SuggC"lcd Chanl!C:\n\n      \xe2\x80\xa2   IT Security Awan.:ncss training completion" an: n(,1 COlbiM,.. ntl~ 1ll0nitoll.-d.\n\n  Rational: USCIS\' Oflice oflluman CapiLaI and I ra\'ning (Ilel ) mamtains u Learning\n  \\-lana~cmcnt System (LMS) that:\n\n\n      \xe2\x80\xa2   maintf..ins all training rr:cord5 for USCIS emph\xc2\xbb)cc.s lind conlruetors.\n      \xe2\x80\xa2   provido.--:. computcr-bas;;.\'d tr.nning COurseS. nr.d\n      \xe2\x80\xa2   maint.:;ins employet.."S mandatory training plans.\n\n  The LM\' is c<lnfigured I[) ha... ~ the USCI"; ComplllCf Security Awarem.\'SS rr.sining (CSA-n\n  course on c\\-el") employee\'s mandatory lraininl! plan. On April 9. 2010. the LJ. 
CIS Acting Chi...,:-\n  Information OlTicer i~ued the Mand3lo~\' CSAT policy R\'quiring allLJSC S employees anJ\n  controlctors to complete CSt\\ T and enfo~ing the n:mo.. ul of network mlet o:m"i I ;tf:l\'"r"" for tho.....~\n  lh:.ll do r.ot co-nply with th...\xe2\x80\xa2 policy.\n\n  On June 23.2010.01 r implemented th<.: Dcpartmcm OfSlutc CSAT ""cb-b~-d tool to handle al\n  tracking and monitoring orCSAT completions. I his pro<!u~t uutOIll..ti~llll\'f monitors und notifies.\n  employees when to complete CSAT. En1ployees 31\'\\\' senl ,,,,cel:.I)\' em:til reminders until the\n  tmining b completl.-d.\n\n  Prior tu the impll\'l1lCnttllion of the DOS CSAT_ (he USCIS ACadem} monitored and trdek-cd\n  CSAT comph:Liulls in 111<\' Ll\'vlS. T ruining Coord ina(o...... lhrn.. ~hmll thr :lCf\'nl\'") were re"pon."ihlc\n  for cn:>uring all ....\xc2\xb7l11plo)-<.:...s curnplct<--d CSAT in Ihe LMS. \'lllC DOS CSA r product eliminates\n  th;,: nmnuu) trul,;"\'in~ of CSAT completion:> by Training Coordinnrors.\n\n  USCIS i.s cOl1l1nitt....-d to ,,:solving all control delicier.cies and \\V~nkncsse.s identified in tile :..udit\n  and Iw\\"c prer:un:d Mission Action Plans and Plan ofi\\ction lind /\'vlile.sIOn<.:.s 10 re-solve and\n  imrmvc the Agcncy\'s information technology contr<.lls.\n\n  IlselS appreciates the cooperation and rcspcctthat iuur :.tafTprovid<.:d during th..\xc2\xb7 cuurse of the\n  audit and looks forward to continuing our strollB working relationship \\\\ith your oOiw.\n\n\n\n\nInformation Technology Management Letter for the USCIS Component of the FY 2010 DHS Financial\n                                      Statement Audit \n\n                                           Page 23 \n\n\x0c                             Department of Homeland Security\n \n\n                          Immigration and Customs Enforcement \n\n                         Information Technology Management Letter\n                                    September 30, 2009\n\n\n                    
                    Report Distribution

                    Department of Homeland Security

                    Secretary
                    Deputy Secretary
                    General Counsel
                    Chief of Staff
                    Deputy Chief of Staff
                    Executive Secretariat
                    Under Secretary, Management
                    Director, USCIS
                    DHS Chief Information Officer
                    DHS Chief Financial Officer
                    Associate Director-Management, USCIS
                    Acting Chief Financial Officer, USCIS
                    Acting Chief Information Officer, USCIS
                    Chief Information Security Officer
                    Assistant Secretary for Office of Policy
                    Assistant Secretary for Office of Public Affairs
                    Assistant Secretary for Office of Legislative Affairs
                    DHS GAO OIG Audit Liaison
                    Chief Information Officer, Audit Liaison
                    USCIS Audit Liaison

                    Office of Management and Budget

                    Chief, Homeland Security Branch
                    DHS OIG Budget Examiner

                    Congress

                    Congressional Oversight and Appropriations Committees, as appropriate


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.


OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal
misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.


The OIG seeks to protect the identity of each writer and caller.